Flatcar users safe from CVE-2024-3094 #1410
Comments
To add: The 5.6 ebuild files were copied to our Gentoo package repo inside the Note that the investigation is still not finished, because the xz 5.4 release also contains changes from the malicious contributor and we'll have to see if anything further pops up and if there will be a "known-good" 5.4 release we can migrate to.
Side note: the same author of the xz backdoor also did a suspicious change in libarchive, and it was reverted a few days ago. Although it is not clear at the moment if that should be considered a security issue, Gentoo already updated app-arch/libarchive to 3.7.2-r3, by backporting the revert. See also https://bugs.gentoo.org/928146.
We've downgraded to 5.4.2 as Gentoo did, because this is early enough to exclude most other possibly malicious changes. We can also think of rebuilding the SDK from an older seed SDK but we first need to check if we can use one seed for all channels. Found that this Alpha's SDK would have the same xz-utils version: https://alpha.release.flatcar-linux.net/amd64-usr/3602.0.0/flatcar_production_image_packages.txt
FYI: Out of precaution, there is this check added recently to upstream Gentoo gentoo/gentoo@8257744
Now that all channels were released with xz-utils 5.4.2 to be precautious, let's close.
Name: lzma/xz + ssh
CVEs: CVE-2024-3094
CVSSs: 10.0
Action Needed: no action needed
Summary:
XZ was compromised, which led to an RCE vulnerability in distributions that patch OpenSSH to link against libsystemd.
No Flatcar version/release shipped with the compromised xz version (5.6.0+); the latest version of xz in any version of Flatcar was 5.4.6.
Flatcar does not patch OpenSSH to link against libsystemd, so the attack vector was also not possible in Flatcar.
Flatcar users are safe from CVE-2024-3094.
refmap.gentoo: https://bugs.gentoo.org/928134
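As an added example (not part of the issue or of Flatcar's tooling), the following POSIX shell script turns the two conditions the summary names into a host check: is one of the backdoored xz releases installed, and does the sshd binary actually load liblzma (the libsystemd linkage path). The sample inputs are constructed, and `xz`, `ldd` and `sshd` on the host are assumptions for the live variant.

```shell
#!/bin/sh
# Added example, not from the Flatcar issue: a defender-side check that
# applies the two conditions the issue body names for CVE-2024-3094 exposure:
# (1) a backdoored xz release is installed, and (2) sshd links liblzma
# (which happens on distributions that patch OpenSSH to use libsystemd).

# Return 0 when the xz version string is one of the backdoored releases
# (5.6.0 and 5.6.1; the issue refers to them as "5.6.0+").
xz_version_affected() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *)           return 1 ;;
  esac
}

# Return 0 when an `ldd sshd` listing shows liblzma being loaded into sshd.
sshd_links_liblzma() {
  printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Print a verdict: exposed / payload-present-but-unreachable / not-affected.
assess() {
  if xz_version_affected "$1"; then
    if sshd_links_liblzma "$2"; then
      echo exposed
    else
      echo payload-present-but-unreachable
    fi
  else
    echo not-affected
  fi
}

# Constructed sample inputs (not real host output) mirroring Flatcar's
# situation as described in the issue: xz 5.4.6 and no liblzma in sshd.
FLATCAR_XZ_VERSION="5.4.6"
FLATCAR_SSHD_LDD="libcrypto.so.3 => /usr/lib64/libcrypto.so.3
libc.so.6 => /usr/lib64/libc.so.6"

# Live check on the current host; xz, ldd and sshd are assumed to be present.
live_assess() {
  ver=$(xz --version 2>/dev/null | sed -n '1s/.*) //p')
  sshd_path=$(command -v sshd || echo /usr/sbin/sshd)
  assess "$ver" "$(ldd "$sshd_path" 2>/dev/null)"
}

echo "Constructed Flatcar sample: $(assess "$FLATCAR_XZ_VERSION" "$FLATCAR_SSHD_LDD")"
```

Run `live_assess` (e.g. `sh -c '. ./check.sh; live_assess'`) on a host to get its verdict; a "payload-present-but-unreachable" result still calls for downgrading xz, since only the sshd vector is ruled out.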